A rootkit is a type of malware, frequently used by a third party (usually an intruder) who has gained access to a computer system, that is intended to conceal running processes, files or system data; this concealment helps the intruder maintain access to the system without the user's knowledge. A rootkit typically hides logins, processes, threads, registry keys, files, and logs, and may include software to intercept data from terminals, network connections, and the keyboard. Rootkits are capable of infecting boot drivers that execute during loading of an operating system (OS), and thus run before any antivirus software is loaded on the system. Rootkits may also be embedded in operating system processes in a filter-like manner, so that ordinary malware detection tools cannot obtain any information about the hidden software or its components.
One difficulty in detecting rootkits is that, unlike viruses, rootkits typically activate themselves before the operating system has completely booted, and they usually acquire system privileges. Rootkits also typically take steps to mask their existence and to prevent conventional antivirus detection mechanisms from identifying them. For example, typical antivirus software invokes a system function call to identify the processes that are currently running. The rootkit intercepts that function call and supplies its own return values to the antivirus software, with its own process omitted. Likewise, the rootkit typically hides the files in which it is stored from conventional antivirus mechanisms that check whether files contain known virus signatures.
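Because the intercepted enumeration call returns a doctored list, one defensive response is a cross-view check: obtain the process list through two independent paths and flag anything present in one view but absent from the other. The following Linux example is added here and is not code from this document; it compares the /proc directory listing (the view a hooked enumeration call would tamper with) against direct per-PID probing with a null signal, and the probe range of 32768 PIDs is an assumed default.

```python
import os


def listed_pids():
    """View 1: process IDs reported by a directory listing of /proc.
    This is the view `ps` and most scanners rely on, so it is the one
    a hooking rootkit would filter."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def known_thread_ids():
    """TIDs of every thread of every listed process. A live TID that is
    not a thread-group leader is not a hidden process and must not be
    flagged, since kill() accepts thread IDs as well."""
    tids = set()
    for pid in listed_pids():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited between the two listings
            pass
    return tids


def pid_alive(pid):
    """View 2: ask the kernel directly with signal 0. No directory
    listing is involved, so a hook on readdir has no effect here."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, merely owned by another user
    return True


def hidden_pids(listed, thread_ids, alive, max_pid):
    """Cross-view difference: alive according to the kernel, absent from
    the listing, and not explained away as a thread of a listed process."""
    return {pid for pid in range(1, max_pid + 1)
            if pid not in listed and pid not in thread_ids and alive(pid)}


def cross_view_scan(max_pid=32768):  # assumed probe range; read pid_max for a full sweep
    suspects = hidden_pids(listed_pids(), known_thread_ids(), pid_alive, max_pid)
    # A process that starts or exits between the two views shows up once;
    # re-check each suspect against a fresh listing to discard such races.
    fresh = listed_pids() | known_thread_ids()
    return sorted(p for p in suspects if p not in fresh and pid_alive(p))
```

An empty result means the two views agree; any PID returned is alive according to the kernel yet missing from the listing, which is the discrepancy a hooked enumeration call produces.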
Therefore, there is a need to improve detection of rootkits and similar types of malware.